More “BadNews” for Android: New malicious apps found in Google Play

The code family used to push malware circulated as early as June 2012.

The family of Android malware that slipped past security defenses and infiltrated Google Play is more widespread than previously thought. New evidence shows it was folded into three additional apps and has been operating for at least 10 months, according to security researchers.

BadNews, as the malicious ad network library is called, has been included in at least 35 different apps that were available on Google servers for download, researchers from antivirus provider Bitdefender said Monday. As Ars reported last week, figures provided by Google showed they had been downloaded anywhere from two million to nine million times. Although Google had removed 32 apps as of Friday, company security personnel didn't remove the additional three apps until they were flagged this weekend by Bitdefender. Apps that contain the BadNews code upload phone numbers, unique device identifiers, and other data from infected phones and then present end users with prompts to download and install fake updates for legitimate applications such as Skype.

It's unclear why Google employees removed the additional apps only after Bitdefender discovered them. It's possible that the code uses polymorphism to keep from displaying tell-tale signatures that could be caught by Bouncer, the cloud-based scanning service Google unveiled last year. A more depressing possibility is that the company didn't run a new set of scans on its existing base of offerings after receiving last week's report. Google representatives declined to comment on the record about the Bitdefender report.

"We've been saying for a while that there's aggressive adware that collects your data, collects all kinds of stuff on you, but now you can actually bypass Google security by using the custom-made adware framework," Bitdefender researcher Liviu Arsene told Ars. "As long as I convince enough developers to use my adware framework, I can push any type of content I want through that framework."

Among the malicious apps promoted by BadNews is AlphaSMS, a trojan that racks up charges by sending text messages to pricey services. Arsene said the malicious BadNews code library used to push such apps has been in existence since at least June 2012, although some of the apps that included it didn't initially display the fake update notifications.

"Although it didn't feature the push notification telling users to install fake updates—like the Skype update, for instance—it did have the function built into it," he explained. "It was kind of like someone was testing it but they didn't actually go along and have the malware. Somebody was testing the adware framework before it actually went and disseminated malware."

The revelation that some of the malicious functionality was never activated means that some users infected by BadNews may never have noticed anything awry. Even after a malicious update is displayed on an infected device, the user must specifically choose to download and install it and must have configured the phone to install apps from third-party sources. Still, while many Android users in the US rely solely on Google Play, third-party sources are much more popular in China and other countries. Ultimately, there's no independent way to know just how many end users may have fallen for the ruse.

The takeaway for Android users is to consider running a smartphone antivirus app. The Bitdefender product has been detecting BadNews code since June 2012 as Android.Trojan.InfoStealer.AK, Arsene said. Apps from other AV providers, including Lookout Mobile Security, also detect the BadNews apps. Users should also think long and hard before allowing their devices to install apps from sources other than Google Play. The fact that Google Play itself has been hosting malicious titles for almost a year shows that sticking to the official store is by no means ironclad protection. Still, an antivirus app can add an important layer of defense for the cases where malicious apps do sneak past Google's defenses.

Update: The three additional apps discovered by Bitdefender are titled ru.yoya.anekdot, com.hellow.world, and zh.studio. Lookout has a list of the 32 other apps here.

102 Reader Comments

Or consider not installing superfluous apps whose origin is unclear. Kind of like on your home PC, don't go clicking and downloading everything you see. Unfortunately too many PC users and smartphone users are a bit short on common sense.

Yes, you should only install apps from a trusted source like Google Play! oh wait...

Or consider not installing superfluous apps whose origin is unclear. Kind of like on your home PC, don't go clicking and downloading everything you see. Unfortunately too many PC users and smartphone users are a bit short on common sense.

Yes, you should only install apps from a trusted source like Google Play! oh wait...

Actually, that's sound advice. Origin doesn't mean where you get the app from, but who made it. Installing something from Adobe, Autodesk, or Facebook should be fine. Installing something from Joe3452200 who has no reviews or doesn't clearly state what the app is for is asking for trouble.

When are some people going to admit that Apple's more stringent rules about installing apps have substantial benefits for users? Most normal users don't WANT to have to understand things such as this and deal with it. Yes, I know there are a relatively small group of people who want the latitude to install whatever they want from whatever source, but it's a trade-off. Can't you at least admit the trade-off and concede that for a LOT OF PEOPLE, Apple's way is a legitimate choice that works out better for them?

Why is there never any list or link to a list in these types of articles of the affected software? I've checked the list of 32, but what are the new 3? I'm guessing it will be more shady looking or Russian apps like the previous list.

When are some people going to admit that Apple's more stringent rules about installing apps have substantial benefits for users? Most normal users don't WANT to have to understand things such as this and deal with it. Yes, I know there are a relatively small group of people who want the latitude to install whatever they want from whatever source, but it's a trade-off. Can't you at least admit the trade-off and concede that for a LOT OF PEOPLE, Apple's way is a legitimate choice that works out better for them?

I agree somewhat, but things still slip by and according to a recent study iOS apps were more likely to leak data than Android. I also think it better to have an informed public than one protected by a walled garden.

When are some people going to admit that Apple's more stringent rules about installing apps have substantial benefits for users? Most normal users don't WANT to have to understand things such as this and deal with it. Yes, I know there are a relatively small group of people who want the latitude to install whatever they want from whatever source, but it's a trade-off. Can't you at least admit the trade-off and concede that for a LOT OF PEOPLE, Apple's way is a legitimate choice that works out better for them?

The problem with Apple's way is that it is insanely restrictive and gives first priority to software that is made by Apple. It is exactly the type of stuff MS has been sued and fined for over the years. Apple can make all their own apps work really well together, while not letting 3rd-party apps have the same level of access. This prevents certain bad situations, like the one facing Android, but it locks out lots of legit apps from being way more powerful than they could be.

Or consider not installing superfluous apps whose origin is unclear. Kind of like on your home PC, don't go clicking and downloading everything you see. Unfortunately too many PC users and smartphone users are a bit short on common sense.

This. Is there a list of the apps available? I would like to know if there is even a remote chance I would install one of them. Most likely not.

But yeah, it's still a bit disconcerting; one advantage of the app world is that it's pretty safe to install even lesser-known apps (for example, metro systems or offline maps of foreign cities you are visiting).

Indeed a full list would be nice (repackaged open source apps? fart apps?)

Antivirus heuristics aren't magical and they'll always let some malware through, nothing new here. I don't know exactly what Apple do to avoid this problem, do they have an army of analysts manually studying each app in detail, or is it the dev fee scaring the bad guys?

Anyway, what Google could do now would be to seriously improve the user review section in the Play Store. Users tend to warn other people about their bad experience. For a start they could look at the way Amazon does it...

Would have been nice to add that from Ars as well. The general takeaway is:

Of the 32 apps, 2/3 are in Russian.

One of them, with the second highest number of downloads, has the package name air.buttSex (are those kinds of apps really available on the Play Store?)

So to summarize a lot of stuff about not much. Would be good to add the list of apps to the "article" to put it into perspective. Apart from that it reads more like a BitDefender marketing message. At least a bit of digging would be nice.

Or consider not installing superfluous apps whose origin is unclear. Kind of like on your home PC, don't go clicking and downloading everything you see. Unfortunately too many PC users and smartphone users are a bit short on common sense.

Make sure that all the apps that you deem normative-fluorous are produced and distributed by parties that also maintain their computers to your exacting standard. You should also check that the entire toolchain is clear. Keep an eye on the advertising and caching networks used by your, and all your software producer's, favorite websites.

"As the BadNews bug appears to have been distributed as an ad framework for developers to use, it’s unclear how many of the infected apps were built primarily for malicious reasons. It’s quite possible that some of the apps were built by well-meaning developers who just made a bad decision on an ad provider."

One of them, with the second highest number of downloads, has the package name air.buttSex (are those kinds of apps really available on the Play Store?)

So to summarize a lot of stuff about not much.

Do you think Google's Bouncer scrutinizes these apps less than the ones you prefer to install? Do you think popularity is some indication of increased scrutiny by Google or third parties?

I'd say the key point of the article is that malicious code has been in the Play store and undetected for almost a year. The fact that you weren't personally targeted by these attackers isn't that interesting.

And no, I don't think any other platform's stores are immune or necessarily better in any way. We've got an unsolved problem here, with no reasonable solution in sight.

When are some people going to admit that Apple's more stringent rules about installing apps have substantial benefits for users?

I dunno, two weeks ago? A year?

Quote:

Most normal users don't WANT to have to understand things such as this and deal with it.

What do these super majorities have to do with those of us who do understand such things and are willing to deal with them? Most Windows users don't want to understand command lines or other such things; do you need Linux users to admit that for some reason? And if they already have, are you going to continue to post such inane questions?

Quote:

Yes, I know there are a relatively small group of people who want the latitude to install whatever they want from whatever source, but it's a trade-off.

Everything is a tradeoff. You're preaching to all the choirs here. In fact, on a technonerdgasm site, I can't think of a better use for that metaphor.

Quote:

Can't you at least admit the trade-off and concede that for a LOT OF PEOPLE, Apple's way is a legitimate choice that works out better for them?

Aside from the fact that many Android users are happy to admit that there are tradeoffs to using the Android OS - including a healthy dose of vigilance and forethought - what does this admission do for you? Are you really so hard up for validation that you have to beg people to admit something that has already been said, by Android and iOS users, bloggers, and tech writers alike? Or does “some people” mean specific people who you see as stubborn holdouts that appear to be forcing Android down the masses’ throats?

Why do you keep getting this story incorrect? This has very little to do with the apps but the ad networks they use. Should Google restrict API access to device identifiers (IMEI, s/n, etc....)? YES... but the apps are asking for all the correct permissions and without their malicious ad network are nothing more than apps that ask for too many permissions.

The apps ask for all the permissions and people say "OK"... if a background app asks for your contacts then there is a problem.

Just like bad apps on any other device can leak contacts and other information these apps are doing the same thing, except in turn leaking them to a malicious ad network that is also then sending out links to download an actual bigger payload.

All in all the data leaks have been seen in almost every other platform to date - except the data is leaking to a 3rd party (ad network) and not necessarily to the app developers systems.

To add to this, there is no way for the Bouncer program to get these apps as they are not doing anything "wrong" per se.... and they are not infecting or trying to infect the devices with anything...

When are some people going to admit that Apple's more stringent rules about installing apps have substantial benefits for users? Most normal users don't WANT to have to understand things such as this and deal with it. Yes, I know there are a relatively small group of people who want the latitude to install whatever they want from whatever source, but it's a trade-off. Can't you at least admit the trade-off and concede that for a LOT OF PEOPLE, Apple's way is a legitimate choice that works out better for them?

Because Apple's rules don't stop at what the app does. Apple's rules have had a very adverse effect on apps that they don't like, such as the sweatshop game, and have app developers sweating up a storm anytime they think about putting out anything that might be edgy, such as the Saga #12 story.

Apple has a chilling effect on app devs and content providers. I hate to say it, but it's kinda like a modern church. You have to wear this, be this, talk like this, drive this, and Lord help you if you break any of the rules. Apple's rules are causing creators and devs to think twice before using iOS as the main vehicle for their app.

This also ignores a major vector of attack. Websites can host and deploy malicious content. Unless Apple is willing to invest in a whitelist, there's no way to police the web. iOS users may actually be more likely to get infected that way than by an app, because they will think that they're safe (and before you try to argue this point it might be useful to look at human history. Rome comes to mind, the Titanic too.) They aren't watching for those things. "It's iOS, it can't get infected." "It's a Mac, it can't get infected." Seem familiar?

In short, Apple's model has some benefits, but I wouldn't call them major ones. Flexibility and an understanding that the world is a scary place that will eat you if you're not careful can go a hell of a lot further.

I agree with your point on Apple's rules. Next paycheck I'm buying a Nexus 7, purely because I want to make free and useful apps (and paid ones when I can make something polished) without having to jump through all the hoops that Apple requires. Programming is fun. Seeing people use your program is even more fun. Going through Apple's "red tape", even if your app is of low quality and few people may use it, is not fun. Often it just gets in the way.

When are some people going to admit that Apple's more stringent rules about installing apps have substantial benefits for users?

This doesn't follow. The problem is Google's lack of proper screening for software that gets put into the Play Store, not that users can install from sources other than Play.

Quote:

Most normal users don't WANT to have to understand things such as this and deal with it.

Fine. I'm not them.

Quote:

Yes, I know there are a relatively small group of people who want the latitude to install whatever they want from whatever source, but it's a trade-off. Can't you at least admit the trade-off and concede that for a LOT OF PEOPLE, Apple's way is a legitimate choice that works out better for them?

Except you've completely missed the boat on this article. Of course, everyone misses the boat when they try to defend Apple's lock down.

I agree somewhat, but things still slip by and according to a recent study iOS apps were more likely to leak data than Android. I also think it better to have an informed public than one protected by a walled garden.

There are a lot of "studies" that are flat out wrong or completely ignore the nuances, such as that you cannot access location, address book, calendar, photos, etc. on iOS without explicit permission from the user for each category. On Android the permissions are "all permissions the app requested" or you can't install the app, period.

Or consider not installing superfluous apps whose origin is unclear. Kind of like on your home PC, don't go clicking and downloading everything you see. Unfortunately too many PC users and smartphone users are a bit short on common sense.

Make sure that all the apps that you deem normative-fluorous are produced and distributed by parties that also maintain their computers to your exacting standard. You should also check that the entire toolchain is clear. Keep an eye on the advertising and caching networks used by your, and all your software producer's, favorite websites.

See, security is easy.

Only death is 100% certain. But you seem to be pretty safe by not installing Russian buttsex applications. If pretty safe is not good enough for you, you need to go further, of course.

Because Target's rules don't stop at what the product does. Target's rules have had a very adverse effect on products that they don't like, such as the sweatshop game, and have manufacturers sweating up a storm anytime they think about selling anything to Target that might be edgy, such as the Saga #12 story.

Target has a chilling effect on goods producers and writers. I hate to say it, but it's kinda like a modern church. You have to wear this, be this, talk like this, drive this, and Lord help you if you break any of the rules. Target's rules are causing producers and writers to think twice before using Target as the main store for their product.

In short, Target's model has some benefits, but I wouldn't call them major ones. Flexibility and an understanding that the world is a scary place that will eat you if you're not careful can go a hell of a lot further.

It sounds like you'd prefer shopping at a flea market over Target. To each their own.

Would have been nice to add that from Ars as well. The general takeaway is:

Of the 32 apps, 2/3 are in Russian.

One of them, with the second highest number of downloads, has the package name air.buttSex (are those kinds of apps really available on the Play Store?)

So to summarize a lot of stuff about not much. Would be good to add the list of apps to the "article" to put it into perspective. Apart from that it reads more like a BitDefender marketing message. At least a bit of digging would be nice.

Yeah, except for 2 with normal names, you would have to be an idiot to install any of them.

One of them, with the second highest number of downloads, has the package name air.buttSex (are those kinds of apps really available on the Play Store?)

So to summarize a lot of stuff about not much.

Do you think Google's Bouncer scrutinizes these apps less than the ones you prefer to install? Do you think popularity is some indication of increased scrutiny by Google or third parties?

??? Bouncer was never a 100% secure thing. It is an additional level of security. You get the main security from the fact that you have a centrally managed store with the ability by said authority to pull apps.

1) If someone has made a very successful app he has a monetary incentive not to lose his ability to sell (or show ads in) more apps in the app store by including malware. So if you download apps with good reputation and lots of downloads you are pretty safe.

2) If an app is identified as containing malware it will be pulled. Since it is not very probable that a new app will get millions of downloads you will normally only have a very small number of infected users. Not much help to the small number of infected users but for the overall population you are pretty safe.

3) Normally malware will be found out soon so if you only use apps from less safe publishers that have been in the app store a while you are again pretty safe.

4) This was a new attack vector. You can be sure Google will block the specific way that was used soon.

In the end, if you normally use apps that:
- are published by companies with good reputation (Google, Facebook, ...)
- have a large number of downloads
- and/or have been in the app store for a long time,

your chances of being infected are close to zero. I would really, really like some numbers for that. I am pretty sure (and I am pulling the number out of my behind; substitute a very high percentage of) 97% of Android users never had any malware infection. Are the remaining 3% enough reason to go into Apple's walled garden? Not for me. But it may be for other people. And that is fine. I like the Apple ecosystem as well. But this is completely blown out of proportion.

In the end we could only solve the question by getting some hard data on how many Android users actually got a malware infection from the official Play Store and had some monetary or personal problem from it (like somebody taking over their account, stealing money, or sending SMS...).

I am willing to bet this number is pretty close to 0 and all of this is hysterics. I may however be wrong, and if the number is high, in that case critics would have a point. But without data this is a futile discussion.

Everyone should consider installing DroidWall or a similar app on their devices and using it. That prevents any and all apps from accessing the network unless you allow them. But of course if you are wise enough to be using a protective measure like DroidWall, you are probably not installing random Russian apps anyway.

??? Bouncer was never a 100% secure thing. It is an additional level of security. You get the main security from the fact that you have a centrally managed store with the ability by said authority to pull apps.

Bouncer is Google Play's only proactive security layer, and the ability to pull apps after the fact doesn't do anything for the "two million to nine million" installs of these apps. Google isn't pulling them off your phone.

Quote:

1) If someone has made a very successful app he has a monetary incentive not to lose his ability to sell (or show ads in) more apps in the app store by including malware. So if you download apps with good reputation and lots of downloads you are pretty safe.

Developer accounts aren't that precious that someone couldn't see a benefit in selling user data out the back end while making whatever other money through the front door. And there's also the possibility here that legit but naive developers were victimized here too.

Quote:

2) If an app is identified as containing malware it will be pulled. Since it is not very probable that a new app will get millions of downloads you will normally only have a very small number of infected users. Not much help to the small number of infected users but for the overall population you are pretty safe.

Again, from the article, Google's own numbers show 2 to 9 million downloads, and precisely zero of those installs have been affected by the apps being pulled from the Play store.

Quote:

3) Normally malware will be found out soon so if you only use apps from less safe publishers that have been in the app store a while you are again pretty safe.

Normally nothing; 35 apps, up to 10 months in the store.

Quote:

4) This was a new attack vector. You can be sure google will block the specific way that was used soon.

They'll pull apps they can identify as having this library, but the specific way it was used was to advertise actively malicious non-Play store apps and ship out IMEI numbers and contacts. None of that is hard, and unless Google does the smart thing and protects the IMEI and serial number data, there's nothing it can do to mitigate any of this in general.

Quote:

In the end, if you normally use apps that:
- are published by companies with good reputation (Google, Facebook, ...)
- have a large number of downloads
- and/or have been in the app store for a long time.

Facebook is a good example of publicly accepted privacy-violating malware, but I digress. More to the point, if 10 months and millions of downloads isn't enough, I don't know what is.

Quote:

Your chances of being infected are close to zero. I would really, really like some numbers for that. I am pretty sure (and I am pulling the number out of my behind; substitute a very high percentage of) 97% of Android users never had any malware infection. Are the remaining 3% enough reason to go into Apple's walled garden? Not for me. But it may be for other people. And that is fine. I like the Apple ecosystem as well. But this is completely blown out of proportion.

I'm not taking it on faith that Apple's walled garden is free of software that uses data inappropriately, although they do seem to have eliminated the risk of developers tracking users via IMEI numbers. But you seem to be looking at this situation and saying, "no more than 9 million infections before Google stopped new ones, great!" where I bet malware authors are seeing the same data and saying, "at least 2 million installs; hmm, this looks ripe for exploration." No, a phone with 10 name-brand apps installed will probably never risk this sort of infection. Free games, chat clients etc. are going to reach a huge audience, however, and I don't see how blaming the user is helpful.